SSAE 16 reporting, specifically Type 1 and Type 2 assessments, is being required by more and more organizations today, especially those that provide critical outsourcing functions for other entities. Think of payroll companies, Third Party Administrators (TPA), data centers - just to name a few - and you're on the right track. With such prominence being placed on SSAE 16 reporting, it's important to learn about the AICPA standard that effectively replaced the longstanding SAS 70 auditing standard from 1992. As such, take note of the following five (5) important things to know about SSAE 16 reporting:
1. Welcome to the AICPA SOC framework. That's right, welcome to SOC, and goodbye to SAS 70. The SOC framework, officially known as the "Service Organization Control" reporting platform, was a comprehensive undertaking by the American Institute of Certified Public Accountants (AICPA) to revamp reporting on controls at service organizations. This ultimately led to SOC 1, SOC 2, and SOC 3 reports, and a service organization can now choose any or all of the three as its reporting options. This is a radical departure from the one-size-fits-all approach of the historical SAS 70 auditing standard, and a change that was greatly needed for today's complex business arena.
2. SOC 1 & SSAE 16 Reporting. SSAE 16 is actually the AICPA professional standard under which SOC 1 reports are issued, ultimately resulting in the issuance of SSAE 16 Type 1 and Type 2 reports. Be aware that you'll often hear numerous terms alluding to SSAE 16 reports, such as "SOC 1 compliance", "SOC 1 reporting", and other commonly accepted verbiage. For an ounce of clarity, keep in mind that SSAE 16 and SOC 1 are often used interchangeably in discussion, but SOC 1 is the reporting framework, while SSAE 16 is the professional standard. It can get somewhat confusing with three (3) SOC reporting options and two (2) professional standards (SSAE 16 and AT 101) in use.
3. SOC 2 & AT 101 Reporting. If you've heard about SSAE 16 and SOC 1, then chances are you've caught a glimpse of SOC 2 and AT 101. Specifically, SOC 2 is the reporting option under the AICPA SOC framework that's been designed for many of today's growing and emerging technology-oriented service organizations, such as data centers, Software as a Service (SaaS) entities, managed services providers, and others. As for AT 101, it is the professional standard used for issuing SOC 2 reports. While a large number of service organizations have opted for SOC 2 reporting, SOC 1 SSAE 16 reports still dominate the landscape, but this could change over time as companies begin to see the true value of SOC 2 reporting. And while AT 101 is the professional standard used for reporting on SOC 2 engagements, the Trust Services Principles (TSP) - principles and criteria relating to information technology - are the measures against which SOC 2 reports are examined.
4. SOC 3 & SysTrust and WebTrust. The Trust Services Principles (TSP) are a joint effort by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) that essentially comprises a set of professional attestation and advisory services based on a core set of principles and criteria addressing the risks and other relevant issues regarding information technology systems. As such, service organizations can opt for SOC 3 compliance under one or more of the five (5) Trust Services Principles, which are: (1) Security, (2) Availability, (3) Processing Integrity, (4) Confidentiality, and (5) Privacy. Learn more about the Trust Services Principles and SysTrust and WebTrust from both the AICPA and the CICA.
5. Policies and Procedures are Important. That's right, an important component of highly successful SOC reporting is the ability of service organizations to have in place a comprehensive set of operational and information security documents. From firewall policies to change management documents - just to name a select few - policies and procedures are absolutely critical to the success of SOC 1, SOC 2, and SOC 3 reporting. In fact, no matter which regulatory compliance framework you must adhere to, they essentially all share one common theme - the need for documented policies and procedures. SSAE 16 reporting will require these documents, so it's highly recommended to find a comprehensive set of templates.